A new Congressional Research Service (CRS) report recently explored the legal issues surrounding federal laws that offer potential approaches to combating ransomware attacks, in the wake of rising cybercrime and cybersecurity attacks. The report summarizes the potential for criminal prosecution under federal statutes, such as the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA), and focuses on the legal issues facing ransomware victims, in particular whether victims risk legal liability by making ransomware payments.
The report also summarizes federal laws governing public and private-sector cybersecurity, including preparedness and incident response. Cyber preparedness laws require federal agencies to secure their networks and authorize the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Personnel Management (OPM) to establish federal network security requirements.
While the illegality of ransomware attacks is relatively straightforward, ransomware victims face more nuanced legal issues when deciding whether to make ransomware payments, the CRS report said. “No federal statutes expressly criminalize making ransom or ransomware payments. However, federal laws heavily restrict transactions with certain parties and could implicitly make ransomware payments to such parties a crime,” it added.
Other cyber preparedness laws authorize federal agencies to assist private entities operating in critical infrastructure sectors in securing their systems. Moreover, many data protection laws include requirements for covered entities to safeguard customer or consumer data, the report said. If a ransomware attack or other cyber incident occurs, federal law requires CISA and other federal agencies to work together to mitigate harm to federal networks and authorizes them to assist private entities in incident response and damage mitigation.
Following a series of high-profile cyberattacks and the interruptions they caused, federal law enforcement agencies and members of Congress also renewed their focus on the problem of ransomware: malicious software (malware), generally used for extortion, that denies users access to their data and information systems. Last year, the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) “received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million.” That figure is likely to be understated, as many ransomware attacks go unreported.
The CRS operates as shared staff to congressional committees and members of Congress. Its experts assist at every stage of the legislative process — from the early considerations that precede bill drafting, through committee hearings and floor debate, to the oversight of enacted laws and various agency activities.
Federal laws governing cybersecurity preparedness can be divided into federal network security, critical infrastructure protection, and data protection and privacy, the CRS report said. Beyond the federal networks, federal law authorizes various agencies to develop and share resources to protect the nation’s critical infrastructure sectors. In addition to these cyber preparedness laws, several federal data protection laws impose cybersecurity requirements on private entities that collect a variety of information from consumers and other individuals.
When a cyber intrusion occurs, some federal laws may apply, depending on the target of the intrusion. For federal incidents, meaning occurrences that jeopardize a federal information system or constitute a ‘violation of law, security policies, security procedures, or acceptable use policies,’ FISMA requires each agency to develop, document, and implement procedures for detecting, reporting, and responding to security incidents, including mitigating any risks ‘before substantial damage is done.’ For major incidents, FISMA requires agencies to notify Congress within seven days ‘after the date on which there is a reasonable basis to conclude that the major incident has occurred,’ and to follow up within a reasonable time with a more detailed summary of the incident.
In the case of private critical infrastructure sector entities, there is no generally applicable law requiring disclosure of cyber intrusions, though at least two such bills have been introduced in the 117th Congress. One of these bills, the Cyber Incident Reporting Act of 2021, would require covered entities to report ransom payments to CISA within twenty-four hours of payment. Some critical infrastructure sectors, however, are subject to sector-specific reporting requirements; for example, the TSA issued a security directive in May obligating pipeline owners ‘to report confirmed and potential cybersecurity incidents’ to CISA.
Private entities that are not subject to mandatory disclosure rules may voluntarily report cyber incidents to either CISA or the FBI’s Internet Crime Complaint Center, according to the CRS report. Information submitted by a private critical infrastructure sector entity for critical infrastructure protection purposes is protected from disclosure and cannot be used in civil actions against the private entity. Depending on the critical infrastructure sector, however, sector-specific data protection laws may subject private entities to administrative penalties or civil liability if the entity failed to adequately safeguard protected information, it added.
Last week, the Department of Justice (DOJ) launched the Civil Cyber-Fraud Initiative, which will combine the department’s expertise in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.
Last month, the CRS released a report that analyzed cybersecurity risks that exist in the pipeline network, which is vital to the economy and integral to the nation’s energy supply, with links to power plants, refineries, airports, and other critical infrastructure sectors. Pipeline companies employ technologies that enable them to achieve business and operational efficiencies, but these technologies are susceptible to cybersecurity risks—and these risks have been growing.